Innovative Guidance & Control System


CYANIDE Concept of Operation

As network attacks have increased in number and severity over the past few years, intrusion detection systems have become a necessary addition to the security infrastructure of most organizations.  Moreover, newer forms of cyber networks such as grids, clouds, and sensor webs are particularly vulnerable to cyber attacks (e.g., denial of service) and network intrusion.  However, traditional forms of cyber defense are not suitable to address these kinds of attacks.  Protection against cyber attacks, as well as intrusion detection and recovery, is necessary for critical asset protection, for providing situational awareness, and for determining the overall health of a cyber network.

To address these network attacks, Intrusion Detection Systems (IDSs) have been deployed on a number of enterprise networks.  IDSs are software or hardware appliance systems that automate the process of monitoring the events occurring in a computer system or network and analyzing them for signs of security problems.  While there are a number of IDS options available, they have varying degrees of success and varying computational burdens.  In addition, new, hybrid intrusion detection techniques further complicate the selection of the ideal IDS for a given situation and network type.  Moreover, most IDS technologies and research are distributed across numerous universities and research centers, and few have been implemented in commercial offerings.

KBSI’s Cyber Network Attack and Intrusion Detection and Recovery Environment (CYANIDE) initiative is developing a customizable environment that enables the development, testing and deployment of out-of-band sensing, monitoring, and recovery technologies for combating centralized and distributed cyber attacks on a wide range of information and sensor networks.  The CYANIDE framework will be a Java-based environment that supports a wide range of attack, detection, and recovery modules that are extensible and support new research ideas for cyber exploitation, cyber infrastructure protection, and distributed intrusion detection and recovery.

The CYANIDE technology will assemble, into a common experimentation station, numerous intrusion detection results and the findings of recent and ongoing research on intrusion detection.  CYANIDE will provide the tools necessary to rapidly generate threats and malware, and the technology will monitor and detect attacks and intrusions using different strategies for applications, hosts and networks (information, sensor and grid).  CYANIDE will use centralized, hierarchically distributed and fully distributed strategies, and deploy these strategies over a wide range of cyber networks to provide network situational awareness and to evaluate the performance and effectiveness of each intrusion detection technique.

KBSI’s prior and ongoing work on SOA-based smart sensor network management with layered visualization (FIST), on establishing trust based on the information that is exchanged between the different nodes of a sensor network (ETHOS), and on executable-architecture-based systems evaluations (FIEA) will help inform the CYANIDE development.  CYANIDE will act as a knowledge base for applying the right intrusion detection technique to the situation at hand.

 

Related Research

ETHOS™: Entropy-Trust-Homology Operational Security
FIEA: Framework for Interoperability of Executable Architectures
FIST™: Framework for Intelligent support of Smart Transducers
 
 
